Fix the Command Injection warnings from Brakeman
authorTom Hughes <tom@compton.nu>
Mon, 27 Jul 2020 18:11:03 +0000 (19:11 +0100)
committerTom Hughes <tom@compton.nu>
Fri, 31 Jul 2020 14:54:06 +0000 (15:54 +0100)
app/models/trace.rb
config/brakeman.yml

index 97800a86822f804f1dba741092a27feeb580dfb3..93486f9edf989c6f0235c662886f4090ab42340e 100644 (file)
@@ -220,17 +220,17 @@ class Trace < ApplicationRecord
       file = Tempfile.new("trace.#{id}")
 
       if tarred && gzipped
-        system("tar -zxOf #{trace_name} > #{file.path}")
+        system("tar", "-zxOf", trace_name, :out => file.path)
       elsif tarred && bzipped
-        system("tar -jxOf #{trace_name} > #{file.path}")
+        system("tar", "-jxOf", trace_name, :out => file.path)
       elsif tarred
-        system("tar -xOf #{trace_name} > #{file.path}")
+        system("tar", "-xOf", trace_name, :out => file.path)
       elsif gzipped
-        system("gunzip -c #{trace_name} > #{file.path}")
+        system("gunzip", "-c", trace_name, :out => file.path)
       elsif bzipped
-        system("bunzip2 -c #{trace_name} > #{file.path}")
+        system("bunzip2", "-c", trace_name, :out => file.path)
       elsif zipped
-        system("unzip -p #{trace_name} -x '__MACOSX/*' > #{file.path} 2> /dev/null")
+        system("unzip", "-p", trace_name, "-x", "__MACOSX/*", :out => file.path, :err => "/dev/null")
       end
 
       file.unlink
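Review bot: The return value of `system` is still discarded in every branch, so a failed extraction (non-zero exit, or `nil` when the binary cannot be executed at all) leaves `file.path` empty or truncated and the method carries on through `file.unlink` as if it had succeeded; the argv form removes the shell-injection finding but leaves this unaddressed. Assigning the `if` expression to a local and raising when it is falsy keeps the branch structure and adds a single failure point, placed after `file.unlink` so the temporary file is still removed on the error path, as sketched below. The enclosing method begins and ends outside this hunk, so whether callers of this method tolerate an exception here should be confirmed there. A secondary point: `trace_name` now reaches tar/gunzip/unzip as a bare argument, so a value beginning with `-` would be parsed as an option; if it is always a path built under a fixed directory this cannot arise, but that is not visible in the hunk.
```ruby
      extracted =
        if tarred && gzipped
          system("tar", "-zxOf", trace_name, :out => file.path)
        # … unchanged: the remaining elsif branches, each ending in its system(...) call …
        end

      file.unlink

      raise "Failed to extract trace #{id} from #{trace_name}" unless extracted
```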
index 3551b75e41ce0b626c79e8150b2694fabc5c2ba1..48faf7b6dee172064012cee871b58f06fdf65988 100644 (file)
@@ -1,6 +1,5 @@
 :skip_checks:
 # These checks are skipped, but should be considered TODO
-- CheckExecute
 - CheckFileAccess
 - CheckRedirect
 - CheckRender